Ok, so I think this is a bug in the CORS filter as it is implemented in WebAPI. I’m no expert on these matters, but after reading this article, I’m getting the impression that disabling cors should actually return an Access-Control-Allow-Origin header in the response. In webAPI, if cors is disabled, it doesn’t return any response header and therefore I believe leads to the CORS error in the browser (it needs to see the header).
My suggestion: change cors.enabled to true sot hat the hearder is retunred, but set the security.origin to * so that it will send a header with Access-Control-Allow-Origin: * in the reponse.